On Mon, Jul 22, 2024 at 04:21:21PM +0200, Hannes Reinecke wrote:
> + ret = nvme_auth_generate_digest(sq->ctrl->shash_id, psk, psk_len,
> + sq->ctrl->subsysnqn,
> + sq->ctrl->hostnqn, &digest);
> + if (ret) {
> + pr_warn("%s: ctrl %d qid %d failed to generate digest, error %d\n",
> + __func__, sq->ctrl->cntlid, sq->qid, ret);
> + goto out_free_psk;
> + }
> + ret = nvme_auth_derive_tls_psk(sq->ctrl->shash_id, psk, psk_len,
> + digest, &tls_psk);
> + if (ret) {
> + pr_warn("%s: ctrl %d qid %d failed to derive TLS PSK, error %d\n",
> + __func__, sq->ctrl->cntlid, sq->qid, ret);
> + goto out_free_digest;
> + }
This reuses 'psk' as both an HMAC key and as input keying material for HKDF.
It's *probably* still secure, but this violates cryptographic best practices in
that it reuses a key for multiple purposes. Is this a defect in the spec?
- Eric
